malwarewikiaorg-20200223-history
BASHLITE
BASHLITE (also known as Gafgyt, Lizkebab, Qbot, Torlus and LizardStresser) is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS).[1] Originally it was also known under the name Bashdoor,[2] but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.[3] The original version in 2014 exploited a flaw in the bash shell - the Shellshock software bug - to exploit devices running BusyBox.[4][5][6][7] A few months later a variant was detected that could also infect other vulnerable devices in the local network.[8] In 2015 its source code was leaked, causing a proliferation of different variants,[9] and by 2016 it was reported that one million devices have been infected.[10][11][12][13] Of the identifiable devices participating in these botnets in August 2016 almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers - and less than 1 percent were compromised Linux servers. Behavior BASHLITE is written in C, and designed to easily cross-compile to various computer architectures.[9] Exact capabilities differ between variants, but the most common features[9] generate several different types of DDoS attacks: it can hold open TCP connections, send a random string of junk characters to a TCP or a UDP port, or repeatedly send TCP packets with specified flags. They may also have a mechanism to run arbitrary shell commands on the infected machine. There are no facilities for reflected or amplification attacks. BASHLITE uses a client–server model for command and control. The protocol used for communication is essentially a lightweight version of Internet Relay Chat (IRC).[14] Even though it supports multiple command and control servers, most variants only have a single command and control IP-address hardcoded. It propagates via brute forcing, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to login, with successful logins reported back to the command and control server. References #'Jump up^' Cimpanu, Catalin (Aug 30, 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". Softpedia. Retrieved 19 October 2016. #'Jump up^' Liam Tung (September 25, 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014. #'Jump up^' Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". www.computerweekly.com. Retrieved 21 October 2016. #'Jump up^' Kovacs, Eduard (November 14, 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". www.securityweek.com. Retrieved 21 October 2016. #'Jump up^' Khandelwal, Swati (November 17, 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". thehackernews.com. Retrieved 21 October2016. #'Jump up^' Paganini, Pierluigi (November 16, 2014). "A new BASHLITE variant infects devices running BusyBox". securityaffairs.co. Retrieved 21 October 2016. #'Jump up^' "Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware". Trend Micro. September 25, 2014. Retrieved 19 March 2017. #'Jump up^' Inocencio, Rhena (November 13, 2014). "BASHLITE Affects Devices Running on BusyBox". Trend Micro. Retrieved 21 October 2016. #^ [https://en.wikipedia.org/wiki/BASHLITE#cite_ref-Level3_9-0 Jump up to:a''] [https://en.wikipedia.org/wiki/BASHLITE#cite_ref-Level3_9-1 ''b] [https://en.wikipedia.org/wiki/BASHLITE#cite_ref-Level3_9-2 c''] [https://en.wikipedia.org/wiki/BASHLITE#cite_ref-Level3_9-3 ''d] "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. Retrieved 6 November 2016. #'Jump up^' "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". fullcirclemagazine.org. Sep 4, 2016. Retrieved 21 October 2016. #'Jump up^' Masters, Greg (August 31, 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. Retrieved 21 October 2016. #'Jump up^' Spring, Tom (August 30, 2016). "BASHLITE Family Of Malware Infects 1 Million IoT Devices". threatpost.com. Retrieved 21 October 2016. #'Jump up^' Kovacs, Eduard (August 31, 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". www.securityweek.com. Retrieved 21 October 2016. #'Jump up^' Matthew Bing (29 June 2016). "The Lizard Brain of LizardStresser". Arbor Networks. Retrieved 6 November 2016. Category:Botnet Category:Linux Category:Linux Botnet